Operationalizing Threat Intelligence

Quote: “In this global fight against cyber crime, hacktivism and espionage, organizations must begin to evolve their cyber risk and security capabilities across the organization”

Businesses and governments continue to struggle with effectively and efficiently defending their organization and constituents from cyber attacks. The impact of cyber attacks is global and is a threat to national economic growth. A report recently published by the Potomac Institute for Policy Studies estimates that cyber attacks against the Group of Twenty (G20) alone has resulted in the loss of 2.5 million jobs to counterfeiting and piracy and that governments and consumers lose $125 billion annually, including losses in tax revenue.

To address the impact of cyber attacks to brand, reputation, and operations, the security industry is evolving its defensive techniques through the use of threat intelligence. The goal of threat intelligence bears a close resemblance to business intelligence. Just as business intelligence is utilized to drive optimum performance into a business function, threat intelligence provides an organization with the ability to better address risks and threats in a more proactive, effective and efficient manner. It can provide valuable information to adjust security controls, proactively manage threats to brand and risk, and improve the time to detect and remediate threats. It provides a degree of situational awareness and visibility that has been lacking in the industry because the focus of threat intelligence starts outside the perimeter of an organization where as to date we have focused on defending the perimeter and leveraging internal information and logs to detect, respond and recover. While these are valuable artifacts of defending the enterprise, threat intelligence can provide the necessary information to improve the effectiveness of these existing technologies as well as drive more proactive and efficient processes in managing risks across the organization. However, just like any growing market, solutions vary so buyers must be able to discern between what is intelligence versus just information and how to consume versus operationalize this potentially valuable asset.

The first thing that must be distilled is the difference between information and intelligence. Both can be valuable; however, how that value is extracted will depend on your resources and program maturity. Threat information or data usually contains artifacts of a threat. This information can be valuable and leveraged to aid detection systems, incident response and other existing capabilities, but that information in and of itself does not constitute intelligence.

Threat intelligence is the use of information as mentioned earlier as well as other critical elements that add context and provide deeper understanding of the threat. These include targeted industries or companies, capabilities, sophistication of the attacker, knowledge of risk to non-IT security elements of the organization such as physical, executive, brand and reputation, or context that takes threat information and data and derives relevance directly to inform internal organizational knowledge and critical focus areas. Threat intelligence is usually derived through the evaluation of information. How that information is used to proactively manage the associated risks or the context by which a threat is or may be employed against an organization can be used as a means to proactively prepare to defend against the threat or risk versus purely react. Organizations can also use incidents and the information along with artifacts discovered during the incident response process to feed direct knowledge and intelligence back into the organization to better defend against future uses of these specific attack vectors and/or its tactics, techniques and procedures.

How threat information versus threat intelligence is operationalized also varies. Threat information alone or derived threat information in the form of technical indicators from overarching threat intelligence can be used to bolster existing technical defense mechanisms. Those indicators can be used to enrich internal log information, network transaction correlation (i.e. NetFlow) or pushed into other security devices. The challenge is that all threats have a lifespan. Security devices do not have infinite processing and storage capability to know which threats are active and relevant to your organization. This information is critical in being able to leverage that data within the constraints of existing systems. Threat intelligence can help with the necessary context to make informed and relevant decisions on what information should be leveraged in those devices and systems. Threat intelligence also goes a step beyond by providing critical insight into the risks that an organization may be facing from phishing, impersonation, physical and executive risks, brand, reputation and intellectual property protection. This type of vetted and finished intelligence is leveraged in a different fashion than the artifacts associated with technical indicators of more traditional IT security threats. Operationalizing these forms of intelligence requires having the ability or capability to detect these types of risks born on the open Internet and ‘dark’ web. This type of intelligence can put an organization in a much better position to proactively respond and manage risks and threats facing the broader organization.

In this global fight against cyber crime, hacktivism and espionage, organizations must begin to evolve their cyber risk and security capabilities across the organization. Threat intelligence can be a critical component in that evolution. You just need to understand how and where your organization can benefit the most from threat information and intelligence. Remember that how you integrate threat information and intelligence into your organization can happen in phases and in different functional areas, not just traditional IT security.